oss-sec mailing list archives
Re: OpenSSL seven security fixes
From: Solar Designer <solar () openwall com>
Date: Thu, 5 Jun 2014 17:54:53 +0400
On Thu, Jun 05, 2014 at 04:43:25PM +0400, Solar Designer wrote:
The distros list was informed of the upcoming OpenSSL release a few days in advance, but detail on the vulnerabilities was being provided separately, on request from each specific distro individually (PGP encrypted). Overall, I'd say the advance notification to distros was just right - not too much (only a few days), not too little (just enough), and without unnecessarily exposing the detail to distros who wouldn't need it. A bit worrying is the statement that the "issue was reported to OpenSSL on 1st May 2014", though, but I appreciate the OpenSSL team making that statement (it's in the advisory).
Mark Cox, who was providing vulnerability detail to individual distros, has just posted the timeline: https://plus.google.com/+MarkJCox/posts/L8i6PSsKJKs --- Here is the timeline from my (OpenSSL) perspective for the recent CCS Inject MITM vulnerability as well as the other flaws being fixed today. ** SSL/TLS MITM vulnerability (CVE-2014-0224) 2014-04-22 (Date we were told the reporters shared the issue with JPCERT/CC) 2014-05-01 JPCERT/CC make first contact with OpenSSL security 2014-05-02 JPCERT/CC send detailed report and reproducer to OpenSSL security 2014-05-09 CERT/CC make first contact with OpenSSL security and send an updated report 2014-05-09 OpenSSL verify the issue and assign CVE-2014-0224 2014-05-12 JPCERT/CC contact OpenSSL with updated reproducer 2014-05-13 OpenSSL start communication directly to reporters to share updated patch and other technical details 2014-05-21 JPCERT/CC notify OpenSSL they have notified "vendors who have implemented OpenSSL in their products" under their framework agreement 2014-05-21 CERT/CC request permission to prenotify vendors of the issue 2014-05-21 OpenSSL work with two major infrastructure providers to test the fix and ensure the fix is sufficient 2014-06-02 CERT/CC notify their distribution list about the security update but with no details 2014-06-02 "OS distros" private vendor list is given headsup and ability to request the patches and draft advisory (0710). Told Red Hat (0710) Debian (0750) FreeBSD (0850), AltLinux (1050), Gentoo (1150), Canonical (1150), IBM (1700), Oracle (1700), SUSE (2014-06-03:0820), Amazon AMI (2014-06-03:1330), NetBSD/pkgsrc (2014-06-04:0710), Openwall (2014-06-04:0710) 2014-06-02 Red Hat find issue with patch (1400), updated patch sent to vendors 2014-06-02 Canonical find regression with patch (1700), Stephen produces updated patch, sent to vendors (1820) 2014-06-03 "ops-trust" (1015) and selected OpenSSL Foundation contracts (0820) are told a security update will be released on 2014-06-05 but with no details 2014-06-05 Security updates and advisory is released ** DTLS recursion flaw (CVE-2014-0221) 2014-05-09 Reporter contacts OpenSSL security 2014-05-09 OpenSSL contacts reporter with possible patch for verification 2014-05-16 Reporter confirmes patch 2014-05-18 OpenSSL tells reporter CVE name 2014-06-02 "OS distros" notification as above 2014-06-03 OpenSSL lets reporter know the release date 2014-06-05 Security updates and advisory is released ** DTLS invalid fragment vulnerability (CVE-2014-0195) 2014-04-23 HP ZDI contact OpenSSL security and pass on security report 2014-05-29 OpenSSL let ZDI know the release date 2014-06-02 "OS distros" notification as above 2014-06-05 Security updates and advisory is released ** Anonymous ECDH denial of service (CVE-2014-3470) 2014-05-28 Felix Grbert and Ivan Fratri at Google report to OpenSSL 2014-05-29 OpenSSL tell reporters CVE name and release date 2014-06-02 "OS distros" notification as above 2014-06-05 Security updates and advisory is released (All times UTC) --- On Twitter, Mark (@iamamoose) pointed out that "by telling OS vendors in advance we actually caught two problems with the patches!", I guess referring to these two timeline entries: 2014-06-02 Red Hat find issue with patch (1400), updated patch sent to vendors 2014-06-02 Canonical find regression with patch (1700), Stephen produces updated patch, sent to vendors (1820) Alexander
Current thread:
- OpenSSL seven security fixes Solar Designer (Jun 05)
- Re: OpenSSL seven security fixes Solar Designer (Jun 05)
- Re: OpenSSL seven security fixes Solar Designer (Jun 05)
- Re: OpenSSL seven security fixes Solar Designer (Jun 05)